From owner-freebsd-questions@FreeBSD.ORG  Wed Jun  6 18:50:26 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id CEB801065674
	for <freebsd-questions@freebsd.org>;
	Wed,  6 Jun 2012 18:50:26 +0000 (UTC)
	(envelope-from dan@dan.emsphone.com)
Received: from email2.allantgroup.com (email2.emsphone.com [199.67.51.116])
	by mx1.freebsd.org (Postfix) with ESMTP id 8C0DC8FC1D
	for <freebsd-questions@freebsd.org>;
	Wed,  6 Jun 2012 18:50:26 +0000 (UTC)
Received: from dan.emsphone.com (dan.emsphone.com [172.17.17.101])
	by email2.allantgroup.com (8.14.4/8.14.4) with ESMTP id q56IoIHW037414
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 6 Jun 2012 13:50:18 -0500 (CDT)
	(envelope-from dan@dan.emsphone.com)
Received: from dan.emsphone.com (smmsp@localhost [127.0.0.1])
	by dan.emsphone.com (8.14.5/8.14.5) with ESMTP id q56IoI6T084159
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 6 Jun 2012 13:50:18 -0500 (CDT)
	(envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost)
	by dan.emsphone.com (8.14.5/8.14.5/Submit) id q56IoIsA084158;
	Wed, 6 Jun 2012 13:50:18 -0500 (CDT) (envelope-from dan)
Date: Wed, 6 Jun 2012 13:50:18 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Michael Sierchio <kudzu@tenebras.com>
Message-ID: <20120606185018.GA67937@dan.emsphone.com>
References: <20120606183127.68447106566B@hub.freebsd.org>
	<CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7+SPxwuz_1=o9qckpsw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7+SPxwuz_1=o9qckpsw@mail.gmail.com>
X-OS: FreeBSD 8.3-PRERELEASE
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Virus-Scanned: clamav-milter 0.97.2 at email2.allantgroup.com
X-Virus-Status: Clean
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.6
	(email2.allantgroup.com [172.17.19.78]);
	Wed, 06 Jun 2012 13:50:18 -0500 (CDT)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_RP_MATCHES_RCVD
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	email2.allantgroup.com
X-Scanned-By: MIMEDefang 2.68 on 172.17.19.78
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>,
	Simon <simon@optinet.com>
Subject: Re: Proper Port Forwarding
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jun 2012 18:50:26 -0000

In the last episode (Jun 06), Michael Sierchio said:
> On Wed, Jun 6, 2012 at 11:31 AM, Simon <simon@optinet.com> wrote:
> 
> > This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
> > stops forwarding using the rule above because of "too many dynamic
> > rules"
> 
> Change the defaults for the fw.dyn sysctl MIB nodes
> 
> to something like
> 
> net.inet.ip.fw.dyn_short_lifetime=3
> net.inet.ip.fw.dyn_udp_lifetime=3
> net.inet.ip.fw.dyn_rst_lifetime=1
> net.inet.ip.fw.dyn_fin_lifetime=1
> net.inet.ip.fw.dyn_syn_lifetime=10

Or raise net.inet.ip.fw.dyn_max to a larger number.  The default 4096 may be
too small.

-- 
	Dan Nelson
	dnelson@allantgroup.com